[Snort-users] About syslog messages in snort

Robert Millott robm at ...16885...
Fri Nov 21 10:20:52 EST 2014


Yes, but you can set a unique id to events from each individual snort
instance.  I don't have the code in front of me, but you can start one
instance of snort like:

snort -c snort.conf -G01

and the second as

snort -c snort2.conf -G02

Then the alerts from each instance will have that 01 or 02 in the alerts.

How you separate them, and what you do once you have them identified, I'm
not sure, but at least this lets you identify which alert came from which
instance.


On Fri, Nov 21, 2014 at 8:47 AM, C. L. Martinez <carlopmart at ...11827...>
wrote:

> Thanks Robert, but according to snort's docs, the -G flag is for event IDs
> generated by one sensor ... Right?
>
> On Fri, Nov 21, 2014 at 1:22 PM, Robert Millott
> <robm at ...16885...> wrote:
> > Check out the -G option for starting snort.
> >
> > Also google it. I had some problems with it a few months back, but
> > finally got it figured out. I think I posted the results, but if you need
> > some more help, I can share what I've done.
> >
> > On Fri, Nov 21, 2014 at 2:34 AM, C. L. Martinez <carlopmart at ...11827...>
> > wrote:
> >>
> >> Hi all
> >>
> >>  I have installed two snort instances on one host (both are snort
> >> 2.9.7.0). One snort instance has so_rules only and the other instance
> >> the rest of the rules.
> >>
> >>  Ok. I need to differentiate syslog messages between these snort
> >> processes using, for example, a specific entry like "snort_so-sensor1"
> >> or "snort-sensor2" and, if it is possible, redirect all snort's syslog
> >> entries to a different log file.
> >>
> >>  Is there some option when snort starts or inside the conf file to do this?
> >>
> >>  I don't see anything about this in the snort docs.
> >>
> >>  Thanks.
> >>
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >>
> >> Please visit http://blog.snort.org to stay current on all the latest
> >> Snort news!
> >
> > --
> > Robert Millott
> > President, Millott and Associates
> > (443) 255-3588



-- 
Robert Millott
President, Millott and Associates
(443) 255-3588
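Added illustration, not part of the thread: a small Python reader for Snort unified2 IDS event records (type 7) that pulls the 32-bit event_id out of each record and splits it into the instance id set with -G and the per-instance counter, then buckets events by instance so two sensors sharing one host can be told apart. It assumes the Snort 2.9 behaviour that the -G value occupies the upper 16 bits of event_id; the record layout is the standard unified2 one and the sample records are constructed here, not captured from a sensor.

```python
import struct
from collections import defaultdict

UNIFIED2_IDS_EVENT = 7  # record type of the legacy IPv4 IDS event

# Record header: type, length (both big-endian uint32).
_REC_HDR = struct.Struct("!II")
# Unified2 IDS event (type 7) body, 52 bytes, big-endian:
# sensor_id, event_id, event_second, event_microsecond, signature_id,
# generator_id, signature_revision, classification_id, priority_id,
# ip_source, ip_destination, sport_itype, dport_icode,
# protocol, impact_flag, impact, blocked
_IDS_EVENT = struct.Struct("!11I2H4B")

def split_event_id(event_id):
    """Assumption: with -G, Snort 2.9 stores the log id in the upper
    16 bits of event_id and the running counter in the lower 16."""
    return event_id >> 16, event_id & 0xFFFF

def parse_unified2(data):
    """Yield (instance_id, counter, gid, sid, rev) for each type-7 record."""
    off = 0
    while off + _REC_HDR.size <= len(data):
        rtype, rlen = _REC_HDR.unpack_from(data, off)
        off += _REC_HDR.size
        body = data[off:off + rlen]
        if len(body) < rlen:
            raise ValueError("truncated unified2 record")
        off += rlen
        if rtype == UNIFIED2_IDS_EVENT and rlen >= _IDS_EVENT.size:
            f = _IDS_EVENT.unpack_from(body)
            inst, ctr = split_event_id(f[1])
            yield inst, ctr, f[5], f[4], f[6]

def build_event(instance_id, counter, gid, sid, rev):
    """Constructed sample record (not real sensor output)."""
    event_id = (instance_id << 16) | counter
    body = _IDS_EVENT.pack(1, event_id, 1416576000, 0, sid, gid, rev,
                           3, 2, 0x0A000001, 0x0A000002, 1234, 80,
                           6, 0, 0, 0)
    return _REC_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body

def events_by_instance(data):
    """Group (counter, 'gid:sid:rev') tuples by the -G instance id."""
    buckets = defaultdict(list)
    for inst, ctr, gid, sid, rev in parse_unified2(data):
        buckets[inst].append((ctr, f"{gid}:{sid}:{rev}"))
    return dict(buckets)

# Constructed stream: two alerts from the -G01 instance, one from -G02.
SAMPLE = (build_event(1, 1, 1, 2000, 3) + build_event(2, 1, 3, 1000001, 1)
          + build_event(1, 2, 1, 2001, 1))
```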